Turns out the app registers a custom u2f-google URL protocol with the iOS which can be used by any other app (including the Safari browser) to open the app with the necessary payload for the U2F authentication, which has the following format:

u2f-google://auth?data=PAYLOAD&returnUrl=RETURNURL

where PAYLOAD is a JSON string (urlencoded twice) with the following schema:

where CHALLENGEFROMTHEAPP is a cryptographic challenge generated by the U2F client (the WordPress plugin) and registeredKeys is a list of all the registered U2F devices with the U2F client (which must include the U2F key to be used over bluetooth).

The app now sends this data to the U2F key via bluetooth which responds with a message that gets added to the RETURNURL as a URL hash RETURNURL#chaldt=PAYLOAD where PAYLOAD is again double-urlencoded and has the following format:

The Hack

To make the Google Smart Lock app work with the Two Factor plugin, we should adjust the u2f-google link payload with our own data and set the correct returnUrl.

Unfortunately, the Smart Lock app ignores all requests where the returnUrl doesn’t start with https://accounts.google.com/signin which is a real shame because it would allow any site to offer U2F authentication without creating a custom middleware app for talking to U2F keys over bluetooth or NFC.